b"OFFICE OF INSPECTOR GENERAL\n\n\n\nAUDIT OF USAID\xe2\x80\x99S\nINFORMATION TECHNOLOGY\nGOVERNANCE OVER ITS\nPHOENIX OVERSEAS\nDEPLOYMENT AND\nPROCUREMENT SYSTEM\nIMPROVEMENT PROGRAM\nPROJECTS\nAUDIT REPORT NO. A-000-06-001-P\nFebruary 21, 2006\n\n\n\n\nWASHINGTON, DC\n\n\x0cOffice of Inspector General\n\n\nFebruary 21, 2006\n\nMEMORANDUM\n\nTO:       \t          Acting Chief Information Officer, John Streufert\n                     Director Office of Acquisition and Assistance, Michael Walsh\n                     Chief Financial Officer, Lisa D. Fiely\n                     Director PPC/RA, Patricia Sommers\n                     Director PPC/SPP, Roberta Mahoney\n\nFROM:\t               IG/A/ITSA Director, Melinda G. Dempsey /s/\n\nSUBJECT:\t            Audit of USAID\xe2\x80\x99s Information Technology Governance over Its Phoenix Overseas\n                     Deployment and Procurement System Improvement Program Projects (Report\n                     No. A-000-06-001-P)\n\nThis is our audit report on USAID\xe2\x80\x99s information technology governance over its Phoenix Overseas\nDeployment and Procurement System Improvement Program projects. In finalizing the report, we\nconsidered your comments on our draft report and have included them in their entirety as\nAppendix II.\n\nThis report contains six recommendations to help USAID improve its governance over Agency\ninformation technology initiatives. Based on your comments to our draft report, we consider that\nmanagement decisions have been reached for Recommendation Nos. 1, 2, 3, 4, 5, and 6. For\nthese recommendations, please notify the Bureau for Management\xe2\x80\x99s Audit, Performance and\nCompliance Division when final action is completed.\n\nI want to express my sincere appreciation for the cooperation and courtesies extended to my\nstaff during this audit.\n\n\n\n\nU.S. Agency for International Development\n1300 Pennsylvania Avenue, NW\nWashington, DC 20523\nwww.usaid.gov\n\x0cCONTENTS\n\nSummary of Results ....................................................................................................... 1 \n\n\nBackground ..................................................................................................................... 2 \n\n\nAudit Objective .................................................................................................................. 3 \n\n\nAudit Finding ................................................................................................................... 4 \n\n\n     USAID Did Not Implement Several Key\n     Components of an Effective Information\n     Technology Governance Structure. ............................................................................ 5 \n\n\nEvaluation of Management Comments ....................................................................... 21 \n\n\nAppendix I \xe2\x80\x93 Scope and Methodology ........................................................................ 26 \n\n\nAppendix II \xe2\x80\x93 Management Comments ....................................................................... 28 \n\n\x0cSUMMARY OF RESULTS\n\nThe Information Technology and Special Audits Division of the Office of Inspector\nGeneral in Washington, D.C. completed this audit to help the U.S. Agency for\nInternational Development (USAID) correct its long-standing material weakness in its\ninformation resources management processes. Specifically, this audit was initiated to\ndetermine whether USAID used Federal requirements and best practices to implement\nan integrated process to manage and control its Phoenix Overseas Deployment (POD)\nand Procurements System Improvement Program (PSIP) projects. (See page 3.)\n\nUSAID utilized some Federal requirements and best practices to implement an\nintegrated process to manage and control its Phoenix Overseas Deployment and\nProcurement System Improvement Program projects, but did not implement several\ncomponents of an effective information technology (IT) governance structure.\nSpecifically, USAID did not:\n\n\xe2\x80\xa2\t     Update its information resources management strategic plan.\n\n\xe2\x80\xa2\t     Fully develop an Agency Enterprise Architecture.\n\n\xe2\x80\xa2\t     Prepare, complete, and/or codify some policy and procedures for its IT\n       processes.\n\n\xe2\x80\xa2\t     Fully establish its Program Management Office. (See pages 5-12.)\n\nThese weaknesses occurred primarily because USAID did not provide its\xe2\x80\x99 Chief\nInformation Officer with control to ensure sufficient resources were available for an\neffective IT governance structure. As a result of the weaknesses, USAID did not always\nuse its IT resources responsibly and manage its IT risks appropriately. Specifically,\nUSAID was unsuccessful with its PSIP project and had some undisciplined practices that\nled to deficiencies in its POD project. Moreover, USAID may continue to:\n\n\xe2\x80\xa2\t     Have difficulty aligning its IT with the business.\n\n\xe2\x80\xa2\t     Develop its systems in a \xe2\x80\x9cstovepipe\xe2\x80\x9d manner.\n\n\xe2\x80\xa2\t     Be unable to repeat its successes and thus maximize IT resources.         (See\n       pages 12-20.)\n\nAs such, we are making six recommendations to help USAID improve its IT governance\nover Agency IT initiatives. (See pages 7, 9, 10, 12, and 13.) Although USAID\nmanagement disagreed with some statements made in the report, they agreed to take\ncorrective actions to implement all of the recommendations. (See pages 21-25.)\n\n\n\n\n                                                                                    1\n\x0cBACKGROUND\n\nThe Clinger-Cohen Act of 1996 requires the heads of executive agencies to implement a\nprocess that maximizes the value and assesses and manages the risks involved in\ninformation technology (IT) investments. The process is to include, among other things:\n\n\xe2\x80\xa2\t     Procedures to select, manage, and evaluate investments.\n\n\xe2\x80\xa2\t     A means for senior managers to monitor progress in terms of costs, system\n       capabilities, timeliness, and quality.\n\nIT governance provides the structure that links IT processes, resources and information to\nenterprise strategies and objectives. The objectives are to (1) align IT with the business,\nenable the business and maximize resources; (2) use IT resources responsibly; and\n(3) appropriately manage IT risks. IT governance is especially important in an environment\nwhere the Chief Information Officer has limited funds. Some of the key components of an\nIT governance structure are:\n\n\xe2\x80\xa2\t     An information resources management strategic plan, which provides a description\n       of how information resources management activities help accomplish agency\n       missions.\n\n\xe2\x80\xa2\t     An enterprise architecture, which is a description and documentation of the current\n       and desired relationships among business and management processes and IT.\n\n\xe2\x80\xa2\t     IT policies and procedures.\n\n\xe2\x80\xa2\t     IT organizational structure.\n\n\xe2\x80\xa2\t     Controls to manage the project, its associated risks, and the quality of deliverables.\n\nAccording to USAID\xe2\x80\x99s fiscal year 2004 \xe2\x80\x9cPerformance and Accountability Report,\xe2\x80\x9d USAID\nhas taken steps to meet the goals of its business transformation\xe2\x80\x94a multi-year, multi-step\nplan to reform the Agency\xe2\x80\x99s management systems and improve organizational\nperformance. One component of USAID's transformation initiative is the Agency\xe2\x80\x99s\nBusiness Systems Modernization plan to establish a worldwide business platform capable\nof supporting higher levels of performance. The plan\xe2\x80\x99s overall goal is to enhance the\ndelivery of Agency services and programs through Internet-enabled, globally deployed\nsystems and standardized processes and practices.\n\nTwo key IT initiatives under the Business Systems Modernization plan are:\n\n\xe2\x80\xa2\t     Phoenix Overseas Deployment Project - In an effort to correct a longstanding\n       material weakness with its accounting system, USAID is deploying its core\n       accounting system (called Phoenix) to its overseas Controller missions. In\n       August 2004, USAID put the system into production at five pilot missions.\n       Subsequently, USAID went live with Phoenix in its missions in (1) Latin American\n       and Caribbean and (2) Europe and Eurasia regions in February 2005 and\n       July 2005, respectively. Over the next year, USAID plans to deploy the system to\n\n\n                                                                                            2\n\x0c        its missions in the remaining two regions, (1) Africa and (2) Asia and the Near East.\n        USAID\xe2\x80\x99s estimate of the cost to implement the system is $26.5 million. 1\n\n\xe2\x80\xa2\t      Procurement System Improvement Program (PSIP) \xe2\x80\x93 In August 2004, USAID\n        began its PSIP project to improve the efficiency and effectiveness of acquisition and\n        assistance processes throughout the Agency. Specifically, the project is designed\n        to (1) replace the New Management System legacy system for Acquisition and\n        Assistance, which is used only in USAID/Washington, and (2) automate the paper\n        process at USAID missions\xe2\x80\x94which initiate more than half of the Agency\xe2\x80\x99s\n        procurement transactions. To accomplish such improvements, USAID planned to\n        implement a commercial off-the-shelf solution at a cost of approximately\n        $26.8 million.\n\nSince 1997, USAID has reported a material weakness 2 in its information resources\nmanagement processes. The key weakness was that USAID's IT programs lacked\nsufficient safeguards against waste and mismanagement, as demonstrated by the (then)\nover-budget, unsuccessful attempt to rollout the Agency's new management information\nsystems. Specifically, the Agency did not have a:\n\n\xe2\x80\xa2\t      Strategically oriented IT capital investment planning, budgeting, and acquisition\n        process.\n\n\xe2\x80\xa2\t      Tactically oriented IT investment program management control capacity.\n\nIn November 2004, USAID reported that closure of the material weakness was\ncontingent upon the full implementation of tactically oriented program management and\noversight practices. Further, USAID would demonstrate that such practices were\neffective by completing the implementation of a project, which was expected by the end\nof fiscal year 2005.\n\nAUDIT OBJECTIVE\nThis audit was initiated to help USAID correct its material weakness in its information\nresources management processes. As such, this audit was added to the Office of\nInspector General\xe2\x80\x99s annual audit plan to answer the following question:\n\n        Did USAID utilize Federal requirements and best practices to implement an\n        integrated process to manage and control its Phoenix Overseas\n        Deployment and Procurement System Improvement Program projects?\n\nAppendix I contains a discussion of the audit\xe2\x80\x99s scope and methodology.\n\n\n\n\n1\n  Subsequent to our audit fieldwork, USAID deployed Phoenix in its ANE missions on \n\nDecember 13, 2006. \n\n2\n  This material weakness is reported pursuant to the Federal Managers\xe2\x80\x99 Financial Integrity Act.\n\n\n\n                                                                                                   3\n\x0cAUDIT FINDINGS\n\nUSAID utilized some Federal requirements and best practices to implement an\nintegrated process to manage and control its Phoenix Overseas Deployment (POD) and\nProcurement System Improvement Program projects (PSIP), but did not implement\nseveral components of an effective information technology (IT) governance structure.\n\nFor example, USAID utilized the following Federal requirements and best practices to\nmanage and control its projects:\n\n\xe2\x80\xa2\t     Increased the staffing of its Program Management Office (PMO).\n\n\xe2\x80\xa2\t     Appointed Directors for its Office of Information Resources Management and\n       PMO.\n\n\xe2\x80\xa2\t     Established a Business Transformation Executive Committee to provide Agency-\n       wide leadership for initiatives and investments to transform USAID business\n       systems and organizational performance.\n\nIn addition, USAID created some resources for Agency IT initiatives. For example, it:\n\n\xe2\x80\xa2\t     Published its \xe2\x80\x9cRisk Management Plan,\xe2\x80\x9d which provides a framework for teams to\n       take appropriate measures to minimize adverse impacts to scope, cost, and\n       schedule.\n\n\xe2\x80\xa2\t     Published a \xe2\x80\x9cQuality Control Plan,\xe2\x80\x9d which, according to the document,\n       establishes quality control for Business Transformation projects through the\n       application of planning, monitoring, deliverable review, and reporting activities.\n\n\xe2\x80\xa2\t     Substantially revised its policy directives for planning, budgeting, and managing\n       USAID's capital IT assets, which, among other requirements, added a quarterly\n       review process for IT investments.\n\n\xe2\x80\xa2\t     Drafted an Automated Directives System chapter that addresses earned value\n       management, a technique that provides project managers and others visibility\n       into the technical, cost, and schedule progress of their projects and contracts.\n\nNonetheless, USAID did not implement several components of an effective IT\ngovernance structure. Specifically, USAID did not (1) update its information resources\nmanagement (IRM) strategic plan, (2) fully develop an Agency enterprise architecture\n(EA), (3) prepare, complete, and/or codify some policy and procedures for its IT\nprocesses, and (4) fully establish its PMO. In the finding (below), the first major section\n\xe2\x80\x9cSeveral Key Components of an Effective IT Governance Structure Needed\xe2\x80\x9d (pages 5\n12) discusses these problem areas. The second major section, \xe2\x80\x9cCIO Not Provided\nControl To Ensure Sufficient Resources for an Effective IT Governance Structure\xe2\x80\x9d\n(pages 12-14) discusses the causes of the problem areas. The third major section, \xe2\x80\x9cIT\nResources Not Always Used Responsibly and IT Risks Not Always Managed\nAppropriately\xe2\x80\x9d (pages 14-20) discusses the impact of the problem areas.\n\n\n\n                                                                                         4\n\x0cUSAID Did Not Implement\nSeveral Key Components of an\nEffective IT Governance\nStructure\n\n  Summary: USAID did not implement several key components of an effective IT\n  governance structure, as required by Federal requirements and best practices.\n  Specifically, USAID did not (1) update its IRM strategic plan, (2) fully develop an\n  Agency EA, (3) prepare, complete, and/or codify some policy and procedures for its\n  IT processes, and (4) fully establish its PMO. These weaknesses occurred\n  primarily because USAID\xe2\x80\x99s CIO was not provided control to ensure sufficient\n  resources for an effective IT governance structure. As a result, USAID did not\n  always use its IT resources responsibly and manage its IT risks appropriately.\n  Specifically, USAID was unsuccessful with its PSIP project and used some\n  undisciplined practices that led to deficiencies in its POD project. Moreover, USAID\n  may continue to (1) have difficulty aligning its IT with the business, (2) develop its\n  systems in a \xe2\x80\x9cstovepipe\xe2\x80\x9d manner, and (3) be unable to repeat its successes and thus\n  maximize IT resources. The following paragraphs discuss this issue in detail.\n\n\n\nSeveral Key Components of an Effective IT Governance Structure Needed \xe2\x80\x93 As\ndiscussed below, USAID did not implement several key components of an effective IT\ngovernance structure.\n\n        IRM Strategic Plan Outdated - Office of Management and Budget (OMB)\nCircular No. A-130, \xe2\x80\x9cManagement of Federal Information Resources,\xe2\x80\x9d establishes policy\nfor the management of Federal information resources. The Circular states that, in the\ncapital planning and investment control process, agencies must prepare an IRM plan\nthat is strategic in nature and addresses all aspects of information resources\nmanagement of the agency. IRM Strategic Plans should support the agency Strategic\nPlan; provide a description of how information resources management activities help\naccomplish agency missions; and ensure that IRM decisions are integrated with\norganizational planning, budget, procurement, financial management, human resources\nmanagement, and program decisions.\n\nFurther, Automated Directives System (ADS) 542, \xe2\x80\x9cPlanning and Budgeting for IT\nResources,\xe2\x80\x9d provides a framework and the essential procedures for planning and\nbudgeting for information management and IT resources to carry out the Agency's\nmission, goals, and objectives. Section 542.5.2 requires that USAID develop an\nAgency-wide IRM Strategic Plan for the creation, collection, processing, transmission,\nuse, storage, dissemination, and disposition of information. It also states that the IRM\nstrategic planning process shall support the Agency\xe2\x80\x99s current and future mission and\nprogram needs, and include participation from the Agency's bureaus, independent\noffices, and missions. The ADS further states that the IRM Strategic Plan shall serve as\nthe cornerstone for formulating the Agency-wide IRM budget submission to OMB.\nFinally, section E542.5.2 requires that the IRM Strategic Plan be updated annually.\n\n\n\n\n                                                                                           5\n\x0cIn February 2005, the Office of Inspector General reported that USAID had not updated\nits plan since 2000. 3 For this reason, the audit recommended that USAID\xe2\x80\x99s Chief\nInformation Officer update the IRM plan to address the Agency\xe2\x80\x99s information technology\nrequirements, priorities, and infrastructure challenges over the next five years. In\nresponse to the audit report, USAID\xe2\x80\x99s Chief Information Officer agreed to revise the plan.\nTo accomplish this, USAID tasked a contractor to incorporate USAID\xe2\x80\x99s unique business\nrequirements into the 2006-2010 plan. Because USAID is continuing to update its IRM\nstrategic plan, we are not making a recommendation at this time.\n\n        EA Not Fully Developed \xe2\x80\x93 According to OMB A-130, an agency\xe2\x80\x99s capital\nplanning and investment controls process must build from the agency\xe2\x80\x99s current EA. An\nEA is defined as \xe2\x80\x9cthe explicit description and documentation of the current and desired\nrelationships among business and management processes and information technology.\xe2\x80\x9d\nThe EA includes:\n\n\xe2\x80\xa2\t     The rules, standards, and life-cycle information to optimize and maintain the\n       environment which the agency wishes to create and maintain by managing its IT\n       portfolio.\n\n\xe2\x80\xa2\t     A strategy that will enable the agency to support its current state and also act as\n       the roadmap for transition to its target environment.\n\n\xe2\x80\xa2\t     Principles and goals to set direction in the areas of promoting interoperability\n       open systems, public access, end-user satisfaction, and IT security.\n\nTo create and maintain an EA, agencies must have a framework to document linkages\nbetween mission needs, information content, and information technology capabilities.\nThis framework will guide both strategic and operational IRM planning. Once the\nframework is established, the agency must create the EA.\n\nUSAID adopted the CIO Council\xe2\x80\x99s \xe2\x80\x9cFederal Enterprise Architecture Framework\xe2\x80\x9d\n(September 1999) as its EA framework. The Federal EA framework defines five major\ncomponents that are needed to develop an EA:\n\n\xe2\x80\xa2\t     A data reference model, which promotes the common identification, use, and\n       appropriate sharing of data/information.\n\n\xe2\x80\xa2\t     A business reference model, which describes the Federal government's line of\n       business in an effort to promote agency collaboration.\n\n\xe2\x80\xa2\t     A technical reference model, which provides a foundation to describe the\n       standards, specifications, and technologies supporting the secure delivery,\n       exchange, and construction of business components and e-Gov solutions.\n\n\xe2\x80\xa2\t     A service component reference model, which classifies service components with\n       respect to how they support business and/or performance objectives.\n\n\n\n3\n Audit Report No. A-000-05-006-P, \xe2\x80\x9cAudit of USAID\xe2\x80\x99s Information Technology Infrastructure,\xe2\x80\x9d\nFebruary 22, 2005\n\n\n                                                                                              6\n\x0c\xe2\x80\xa2\t      A performance reference model, which provides a suggested process to develop\n        IT performance information that can be used to improve decision-making and\n        performance.\n\nIn March 2004, USAID completed its EA (both current and desired) for the Agency\xe2\x80\x99s\nHIV/AIDS Programs. According to USAID officials, some of the lessons learned from\nthat EA will be applied to the Agency-wide EA. Using OMB\xe2\x80\x99s \xe2\x80\x9cGuidelines for Enterprise\nArchitecture Assessment Framework,\xe2\x80\x9d (April 2004), USAID officials self-assessed the\nEA for the HIV/AIDS program at 3.94 out of 5 possible points. 4\n\nTo date, USAID has developed the current (or as-is) EA for the business, technical,\nservice component, and performance reference models. However, USAID has not yet\ndeveloped a current EA for the data reference model\xe2\x80\x94a critical component\xe2\x80\x94which\nidentifies the manner in which data are organized and integrated. Moreover, USAID has\nnot yet developed the desired (or \xe2\x80\x9cto be\xe2\x80\x9d) EA. As such, USAID has not integrated its\nbusiness process and information in a holistic way to guarantee an alignment of\nbusiness and technology. Therefore, we are making the following recommendation.\n\n     Recommendation No. 1: We recommend that the Chief of the USAID Program\n     Management Office\xe2\x80\x99s Business Enterprise Architecture Division develop and\n     implement a plan to address the enterprise architecture needs of the Agency.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement noted that the Joint Enterprise Architecture is currently managed by the\nDepartment of State. Based on Agency\xe2\x80\x99s comments and further discussions, we\nmodified our recommendation that USAID complete the development of its current and\ndesired enterprise architecture, in accordance with Office of Management and Budget\nCircular No. A-130. Nevertheless, USAID management agreed to develop a project plan\nthat will address USAID's enterprise architecture objectives. For the Executive\nInformation System, USAID management agreed to develop a data reference model\nfocusing on the data that supports the program and activities management. Further,\nUSAID management stated that other elements of the model will be developed as\nbudget and management priorities permit. Based on the above, we consider that a\nmanagement decision has been reached for Recommendation No. 1.\n\n\n        Many Policies 5 and Procedures 6 Non-Existent, Fragmented, and/or Not\nCodified in ADS \xe2\x80\x93 According to the ADS 101, \xe2\x80\x9cAgency Programs and Functions,\xe2\x80\x9d the\nPMO's Enabling Technologies and Integration Division\xe2\x80\x99s responsibilities include\nestablishing and maintaining Agency policies, processes, and procedures regarding the\ninformation technology life cycle, systems engineering, program management, methods\nand activities.\n\nUSAID\xe2\x80\x99s PMO created the online Project Management Guidebook (the Guidebook) to\nprovide IT managers with a standardized approach to managing IT projects. The\nGuidebook states that its guidelines are consistent with best practices from the Project\n\n4\n  Unaudited\n5\n  Policies are clear and concise rules and regulations necessary for the conduct of Agency\nbusiness.\n6\n  Procedures are detailed courses of action that must be followed.\n\n\n                                                                                        7\n\x0cManagement Institute and Software Engineering Institute. 7 The Guidebook identifies\nphases for each IT project, which consist of a series of required and discretionary\nactivities.\n\nWhile the Guidebook is a beginning, as discussed below, more work is needed as many\npolicies and procedures were non-existent, fragmented, and/or not codified in the ADS,\nUSAID's official Agency-level policies and procedures.\n\nMany Policies and Procedures Non-Existent \xe2\x80\x93 The Guidebook identifies ADS\nChapter 577, \xe2\x80\x9cInformation Technology Capital Planning and Investment Control\xe2\x80\x9d as the\nAgency\xe2\x80\x99s policy and procedures for most activities of one project phase.\n\nHowever, USAID did not establish policies and procedures for any of the other nine\nproject phases or the corresponding activities. For example, USAID did not develop\npolicies and procedures for:\n\n\xe2\x80\xa2\t        Developing user requirements.\n\n\xe2\x80\xa2\t        Handling users' qualified acceptance of a new system (e.g., either fully address\n          user concerns before moving forward or obtain a waiver).\n\n\xe2\x80\xa2\t        Completing operational readiness reviews when deploying a system.\n\n\xe2\x80\xa2\t        Performing tests of software before it can be selected and procured.\n\n\xe2\x80\xa2\t        Conducting independent verification and validation as a standard part of project\n          development based on, for example, dollar or project impact thresholds.\n\nIn addition, although the Guidebook states that many of the activities are discretionary\ndepending on the system and may be abbreviated or merged with other documents\nand/or activities, USAID did not establish policies and procedures for determining when\nthose activities should be performed. For example, USAID did not establish what factors\n(e.g., risk of investment, dollar threshold, or impact of the system on the Agency as a\nwhole) must be considered when determining whether the discretionary activities should\nbe performed.\n\nFinally, USAID did not establish policies and procedures to identify the required inputs or\noutputs (e.g., plans, decision points, and reports) to move to the next phase of the\nproject.\n\nSimilarly, an April 2005 study 8 performed on USAID\xe2\x80\x99s behalf states that many of the\nADS documents were developed \xe2\x80\x9c\xe2\x80\xa6without a common, or centralized, management\napproach to IT governance and only tangentially address some of the elements of IT\ngovernance\xe2\x80\xa6.\xe2\x80\x9d Therefore, we are making the following recommendation.\n\n\n\n\n7\n    The Software Engineering Institute is a part of Carnegie Mellon University.\n8\n    \xe2\x80\x9cUSAID IT Governance: Current Structure,\xe2\x80\x9d April 2005\n\n\n                                                                                         8\n\x0c   Recommendation No. 2: We recommend that the Chief of the USAID Program\n   Management Office's Enabling Technologies and Integration Division develop\n   USAID\xe2\x80\x99s policies and procedures for each phase and activity of the Agency\xe2\x80\x99s\n   project life cycle, including performance metrics and measures.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement agreed to coordinate the development of USAID\xe2\x80\x99s IT Project Management\nControl Manual (the manual) which will describe the the policies and procedures for\neach phase and activity of the Agency\xe2\x80\x99s information technology (IT) project life cycle.\nThe manual will be a mandatory reference to the Automated Directive System (ADS).\nBased on the above, we consider that a management decision has been reached for\nRecommendation No. 2.\n\n\nSome Polices and Procedures Fragmented \xe2\x80\x93 According to the Government\nAccountability Office\xe2\x80\x99s Standards of Internal Controls in the Federal Government, all\nsignificant events need to be clearly documented, and the documentation should be\nreadily available for examination. However, although USAID developed ADS 577,\n\xe2\x80\x9cInformation Technology Capital Planning and Investment Control,\xe2\x80\x9d that directive does\nnot provide policy and procedures for validating and maintaining the support for cost\ninformation in the OMB 300s. OMB 300s are designed to (among other things) present\nthe business case for making the investment, including cost, schedule, and performance\ngoals for the investment.\n\nValidating and maintaining the support for cost information is necessary because cost\nestimates undergo numerous iterations during their life cycle. According to USAID\nofficials, the estimates often start as a white-boarding exercise that gets firmed up using\nthe collective knowledge base of all of the participants. This cycle is repeated as often\nas necessary. Next, USAID and the OMB adjust the estimates during the normal review\nprocess. Due to these necessary but complex procedures, it is difficult to trace the final\nestimates with the business decision that created them, unless supporting\ndocumentation is maintained. As a result, decision-makers make capital investment\ndecisions without the ability to validate the costs of individual components and the costs\nassociated with each budget year.             Therefore, we are making the following\nrecommendation.\n\n   Recommendation No. 3: We recommend that the Chief of USAID Program\n   Management Office's Enabling Technologies and Integration Division prepare\n   Agency policies and procedures for preparing Office of Management and Budget\n   Exhibit 300s to require that documentation be maintained for cost estimates and\n   that the cost estimates be validated.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement agreed to develop guidance for preparing IT system life cycle cost\nestimates and their validation. This guidance will be a mandatory reference to the ADS.\nIn addition, the earned value managent procedures (developed in response to\nrecommendation 4) will include a requirement for the validation of major investment\nperformance baselines. Based on the above, we consider that a management decision\nhas been reached for Recommendation No. 3.\n\n\n\n\n                                                                                         9\n\x0cSome Policies and Procedures Not Codified in ADS \xe2\x80\x93 According to ADS 501, \xe2\x80\x9cThe\nAutomated Directives System,\xe2\x80\x9d section 501.3.1, all Agency-level internally created policy\ndirectives and required procedures must be codified in the ADS. However, although\nUSAID developed some standards that should be followed for IT projects and made\nthose standards available on the PMO website, policies and procedures for following\nthose standards have not been incorporated into the ADS. Such examples include the\nrisk management plan and the quality control plan, as described below.\n\n\xe2\x80\xa2\t      Risk Management Plan \xe2\x80\x93 According to the PMO\xe2\x80\x99s risk management plan, it\n        provides (1) a framework for teams to take appropriate measures to minimize\n        adverse impacts to scope, cost, and schedule; and (2) USAID Executive\n        Sponsors, Business Transformation Project Managers, and Governance Bodies\n        with processes and information to make decisions regarding project and program\n        alternatives. Although that document is available on the PMO's website, a\n        requirement to follow it has not been incorporated into USAID's Automated\n        Directives System.\n\n\xe2\x80\xa2\t      Quality Control Plan \xe2\x80\x93 According to the PMO\xe2\x80\x99s Quality Control Plan, it\n        establishes the policy for quality control for Business Transformation projects\n        through the application of planning, monitoring, deliverable review, and reporting\n        activities. Although that document is available on the PMO's website, a\n        requirement to follow it has not been incorporated into USAID's Automated\n        Directives System.\n\nTherefore, we are making the following recommendation.\n\n     Recommendation No. 4: We recommend that the Chief of the USAID Program\n     Management Office's Enabling Technologies and Integration Division codify\n     USAID\xe2\x80\x99s policies and procedures for project risk management, quality control,\n     and earned value management in accordance with USAID\xe2\x80\x99s Automated\n     Directives System Chapter 501.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement agreed to develop and codify project policies and procedures for project\nrisk management, quality control, and earned value management. Based on the above,\nwe consider that a management decision has been reached for Recommendation No. 4.\n\n\n        PMO Evolving and Not Fully Established \xe2\x80\x93 In a March 1999 audit, 9 the OIG\nreported that USAID continued to manage its modernization through committees rather\nthan by adopting the recommended program management approach. As a result,\nUSAID\xe2\x80\x99s risk that the modernization efforts would encounter delays and cost increases\nand that the new system would not operate effectively when deployed increased\nsignificantly. To correct the weakness, the audit report recommended that USAID's\nChief Information Officer work collaboratively to establish a strong program management\noffice or function, with sufficient responsibility, authority, and resources to apply\ndisciplined practices to implement financial management system improvements.\n\n9\n Audit Report No. A-000-99-003-P, \xe2\x80\x9cAudit of USAID\xe2\x80\x99s Progress Implementing a Financial\nManagement System That Meets Federal Financial Management Improvement Act\nRequirements,\xe2\x80\x9d March 1, 1999.\n\n\n                                                                                       10\n\x0cTherefore, USAID's Business Transformation Executive Committee established the PMO\nto (1) improve and standardize project management practices used by Agency project\nteams and (2) provide assistance to Business System Modernization and other projects.\nThe overall goal of the PMO is to accelerate delivery of business benefits from\ninvestments by using proven tools, processes and knowledge to meet project scope,\nquality, schedule, and cost expectations and contractual obligations. According to the\nPMO charter (May 25, 2004), the PMO is responsible for:\n\n\xe2\x80\xa2\t     Creating and maintaining USAID\xe2\x80\x99s EA and a range of technical and process\n       standards.\n\n\xe2\x80\xa2\t     Coordinating project management activities across the Agency\xe2\x80\x99s major projects,\n       driving accountability for results, and providing an effective and repeatable\n       project implementation capability.\n\n\xe2\x80\xa2\t     Creating and implementing a PMO program of continuous self-improvement to\n       advance the maturity of project and program management at USAID.\n\nHowever, the scope of the PMO was intended to evolve as USAID improves its level of\nproject management maturity. For this reason, the PMO was chartered to initially focus\nonly on advising and mentoring four priority Business System Modernization projects\nand take on additional IT projects as the PMO expanded. Those four priority projects\nwere (1) POD and the steady operations and maintenance of Phoenix, (2) EA, (3) PSIP,\nand (4) USAID\xe2\x80\x99s eGovernment Project Portfolio, which is intended to improve access to\nInternet services across agencies.\n\nTo continue the maturation of the PMO, USAID developed a Maturity Model and\nImplementation Plan (the Plan) to provide a framework to guide the development of the\nPMO, defining capability targets and measuring progress made towards the goals.\nAccording to the Plan, it is a forward-looking model for attaining project management\nmaturity, the degree to which the PMO has acquired the tools, knowledge, and\nprocesses necessary to repeatedly complete successful projects on schedule and within\nbudget. The Plan established three PMO target stages of maturity over the next three\nyears:\n\n\xe2\x80\xa2\t     Stage 1: Design and Develop Project Management Standards, Tools, Templates\n       and Processes.\n\n\xe2\x80\xa2\t     Stage 2: Implementation and Adoption of Tools, Templates and Processes\n       across BTEC PMO project portfolio.\n\n\xe2\x80\xa2\t     Stage 3: Coordination, Integration, and Optimization of Project Management\n       Standards, Tools, Templates, and Processes across projects.\n\nTo date, the PMO has accomplished several required actions for Stage 1. For example,\nit has developed some standards and documents, such as a risk management, a quality\nassurance plan, and a project charter template. However, the PMO remained in Stage 1\nas it continued to design and develop project management standards.\n\n\n\n\n                                                                                   11\n\x0cAccording to PMO officials, because USAID did not receive funding to continue the\nmaturation of the PMO, PMO efforts have been redirected to focus resources on (1) the\nUSAID Administrator's priorities for Business Systems Modernization and (2) legislative\nand regulatory mandates that are being reinforced through the President's Management\nAgenda. As such, Agency officials no longer consider the PMO charter 10 or the Maturity\nModel and Implementation Plan to be valid documents. USAID, therefore, needs to\nclearly define the role of the PMO and develop a plan to implement the functions of the\nPMO. As such, we are making the following recommendation.\n\n     Recommendation No. 5: We recommend that the Director of USAID's Program\n     Management Office prepare and implement a detailed plan (including detailed\n     milestones, performance measures, and metrics) to establish a mature Program\n     Management Office that provides for a repeatable project-implementation\n     capability that analyzes, reduces, manages and mitigates project risk.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement agreed to develop a Project Management Plan that will address\nimprovement/maturation of the Program Management Office (to the extent that budget\nand management priorities permit). The Agency also noted that an Action Memorandum\nhas been submitted to the Administrator to create a new program office and to\nreorganize the Management Bureau structure to allow for the creation of this new office.\nBased on the above, we consider that a management decision has been reached for\nRecommendation No. 5.\n\n\nCIO Not Provided Control To Ensure Sufficient Resources for an Effective IT\nGovernance Structure - In February 2001, the U.S. Government Accountability Office\nissued an Executive Guide on \xe2\x80\x9cMaximizing the Success of Chief Information Officers\xe2\x80\x9d\n(the Guide) to assist Federal agencies in maximizing the success of CIO organizations.\nThe Guide identifies principles and practices gleaned from case studies of three private\nand three public sector organizations recognized as leaders in successfully managing\ninformation technology investments, including the CIO function. In the Guide, the U.S.\nGovernment Accountability Office concluded that leading organizations adopt and use\nan enterprise-wide approach under the leadership of a CIO who has the responsibility\nand authority\xe2\x80\x94including budgetary control\xe2\x80\x94for IT across the entity.\n\nADS Chapter 541, \xe2\x80\x9cInformation Management,\xe2\x80\x9d provides the Agency's information\nmanagement framework to support its mission, goals, and objectives. According to\nsection 541.3:\n\n        [t]he CIO serves in a leadership role with overall responsibility and\n        authority for approving the Agency-wide information technology budget\n        and has overall responsibility for planning and budgeting activities for\n        information technology-related investments that benefit USAID.\n\nHowever, in practice, USAID\xe2\x80\x99s CIO does not have authority and control over the USAID-\nwide information technology budget\xe2\x80\x94although such control is important for an effective\nIT governance structure. Instead, USAID\xe2\x80\x99s Bureau for Policy and Program Coordination\n\n10\n  Because ADS Chapter 101 describes the roles and responsibilities of the PMO, revising the\ncharter is not necessary.\n\n\n                                                                                        12\n\x0c(PPC) is responsible for allocating resources within the Agency. Specifically, PPC\xe2\x80\x99s\nOffice of Resource Allocation is responsible for allocating appropriated funds to Agency\noperating units. In addition, a subdivision within PPC\xe2\x80\x99s Office of Strategic and\nPerformance Planning analyzes operating expense budgets, identifies resource policy\nissues and options, makes recommendations regarding budget levels and composition,\nand leads teams as needed to address specific strategy and budget issues associated\nwith assigned operating units. Both the CIO and PPC officials have confirmed that the\nCIO is not involved in the Agency-wide budget process for IT.\n\nFurther, as shown in USAID\xe2\x80\x99s organization chart (below), the CIO is a peer to other\noperational officers and competes with them for resources to carry out his\nresponsibilities.\n\n                           Table 1. USAID\xe2\x80\x99s Organization Chart\n\n\n\n                                  Office of the Administrator\n\n\n Office of the Administrator is at the top of the organization chart. The following report\n                                                                  Secretariats\n  directly to the Office of the Administrator: Bureau for Legislative     and Public Affairs,\n                   Bureau for Legislative\n   Bureau for Management/CIO,          Independent Offices, Regional Bureaus, and Pillar\n             Bureaus. andField\n                          PublicOffice\n                                 Affairsreport to the Regional and Pillar Bureaus\n                                                      Bureau for Management/\n                                                                CIO\n                     Independent Offices\n\n\n\n\n                      Regional Bureaus                          Pillar Bureaus\n\n\n\n\n                       Field Offices                            Field Offices\n\n\n\nAs a result, according to USAID officials, the biggest obstacle to implementing an IT\ngovernance structure has been insufficient resources to carry out the CIO\xe2\x80\x99s activities\nneeded to support the Agency. Moreover, USAID\xe2\x80\x99s lack of funding and human\nresources has hindered it in carrying out some of its critical information technology\nactivities, such as the EA and maturing the PMO.\n\nFor this reason, the Office of Resource Allocation and the Office of Strategic and\nPerformance Planning need to implement a process that provides the CIO the ability to\nexamine how Agency-wide information technology resources are spent. This would\nprovide the CIO an opportunity to ensure sufficient resources are available to carry out\nan effective information technology governance structure for the Agency. Therefore, we\nare making the following recommendation.\n\n   Recommendation 6: We recommend that the Directors of USAID\xe2\x80\x99s Office of\n   Strategic and Performance Planning and Office of Resource Allocation (within\n\n\n                                                                                            13\n\x0c     the Bureau for Policy and Program Coordination) implement a process to allow\n     the Chief Information Officer to examine how Agency-wide information\n     technology resources are spent in accordance with Automated Directives System\n     section 541.3, thus allowing the Chief Information Officer the ability to ensure\n     sufficient resources for an effective information technology governance structure.\n\nEvaluation of Management Comments - In response to the draft audit report, USAID\nmanagement agreed to modify applicable ADS sections to improve the assessment of IT\nsystems and resources \xe2\x80\x9cin use\xe2\x80\x9d and \xe2\x80\x9cplanned\xe2\x80\x9d and assure adequate resources are\navailable for IT governance processes. Based on the above, we consider that a\nmanagement decision has been reached for Recommendation No. 6.\n\n\nIT Resources Not Always Used Responsibly and IT Risks Not Always Managed\nAppropriately - As a result of the problems in USAID\xe2\x80\x99s IT governance structure\n(discussed on pages 5-12), USAID did not always use its IT resources responsibly and\nmanage its IT risks appropriately. Specifically, USAID experienced problems with its\nPSIP project and experienced some inefficiencies with its POD project. Moreover,\nUSAID may continue to (1) have difficulty aligning its IT with the business, (2) develop its\nsystems in a \xe2\x80\x9cstovepipe\xe2\x80\x9d manner, and (3) be unable to repeat its successes and thus\nmaximize IT resources. The following paragraphs discuss these impacts in detail.\n\n        Problems Led to Suspension of PSIP Project \xe2\x80\x93 As a result of weaknesses in\nUSAID\xe2\x80\x99s IT governance structure (discussed on pages 5-12, the PSIP project\nexperienced serious problems, ultimately leading to the decision to suspend the project\nafter spending approximately $4.3 million with no usable software to show for it.\nSpecifically, as discussed below, USAID did not (1) ensure the software was fully\ndeveloped prior to purchasing it, (2) effectively mitigate project risks, and (3) promptly\nrespond to the results of the independent verification and validation of the project.\n\n\xe2\x80\xa2\t      Software Not Fully Developed Prior to Purchase \xe2\x80\x93 USAID\xe2\x80\x99s program design\n        for its new procurement system called for the purchase of a commercial off-the\n        shelf (COTS) computer application. 11 A market study was conducted to\n        determine software available to fulfill the Agency\xe2\x80\x99s needs. However, a decision\n        to purchase one vendor\xe2\x80\x99s product was made prior to completing this selection\n        process. Further, USAID did not test the software application before purchasing\n        it to ensure that basic functionality for the procurement function was provided in\n        the software package. Instead, because the software application was still in\n        development at the time of purchase, USAID relied on claims from the software\n        vendor that the software would include the functionality of an earlier version and\n        operate in a web-based environment rather than a client-server environment. As\n        a result of these decisions, USAID paid for a software application in development\n        rather than a readily available COTS package. Moreover, although USAID spent\n        approximately $4.3 million for integration of this software application, it did not\n        receive a functional software application in return.\n\n11\n   COTS software or hardware products are ready-made and available for sale to the general\npublic and are designed to be incorporated easily into existing systems. According to best\npractices, IT today is primarily COTS with some tailoring. Generally, the rule of thumb is that the\nbuild-or-buy break point is 80 percent COTS and 20 percent tailoring. Thus, projects should plan\nfor 0\xe2\x80\x9310 percent tailoring to allow for unanticipated growth in tailoring or new codes.\n\n\n                                                                                                14\n\x0c\xe2\x80\xa2\t     Ineffective Mitigation of Project Risks - USAID did not effectively mitigate its\n       risk for its PSIP project. Specifically, USAID identified the \xe2\x80\x9cinability of the web-\n       based system to optimally perform in an overseas environment where the\n       network support may not be adequate for the remote missions\xe2\x80\x9d as a high risk to\n       the project. However, the Agency\xe2\x80\x99s risk-mitigation plan did not address this risk.\n       In particular, the mitigation plan was to investigate the web-based functionality,\n       rather than addressing concerns with system performance.                Further, the\n       mitigation plan was to focus initially on Washington, then on the missions.\n       However, the risk was the ability of the system to perform in an overseas\n       environment. Consequently, the risk-mitigation plan did not lower the identified\n       risk.\n\n\xe2\x80\xa2\t     Slow Response to Independent Verification and Validation (IV&V) Results \xe2\x80\x93\n       The purpose of the IV&V was to, among other things, independently (1) review\n       the PSIP processes against best practices, (2) identify PSIP program risks, and\n       (3) provide recommendations as appropriate. The IV&V report noted that the\n       project would have difficulty in meeting 64 gaps in mandatory requirements for\n       the software, data, configuration and/or procedural aspects of PSIP. Such\n       problems would pose serious risks to its performance, cost, and schedule.\n       Though the IV&V report was released in April 2005, the report states that in\n       January 2005, PSIP project managers were briefed on the IV&V results. Yet the\n       project was not suspended until late April 2005\xe2\x80\x94almost 5 months after PSIP\n       project managers were made aware of these serious problems.\n\nShortly after USAID\xe2\x80\x99s new PMO Director began, the PSIP project was suspended due to\nthe serious technical and functional issues with the software. By that time, USAID had\nspent approximately $4.3 million for software integration, of which $311,000 was for\n1,000 usage licenses and maintenance fees. USAID continued to pay $5,200 per month\nin maintenance fees (which, according to USAID officials, would continue until the\ncontract expired in September 2005), though no usable software had been delivered.\n(After audit fieldwork, USAID selected a different procurement package under the PSIP\nproject.)\n\nSome Undisciplined Practices Led to Deficiencies in POD Project Activities \xe2\x80\x93\nAccording to the PMO, the POD project team adopted PMO recommended standards.\nHowever, the lack of sufficient project oversight limited the Agency\xe2\x80\x99s ability to ensure\nmeaningful adoption of those standards. Consequently, USAID\xe2\x80\x99s internal controls were\nweakened in its capacity to ensure user requirements were met and project risks were\neffectively managed. Some of the deficiencies in the controls employed are discussed\nbelow.\n\n\xe2\x80\xa2\t     Inadequate Contingency and Risk-Mitigation Plans for High Project Risk \xe2\x80\x93\n       USAID identified performance problems of the system in low-bandwidth, high-\n       latency missions as a high risk to the project. (Bandwidth is the amount of data\n       that can be transmitted in a fixed amount of time or the capacity. Latency is the\n       amount of time it takes a data packet to travel from source to destination.\n       Together, latency and bandwidth define the speed and capacity of a network.)\n\n       However, risk-mitigation and contingency plans were not fully developed to\n       address the identified risk. (A risk plan describes the mitigation plan of specific\n\n\n                                                                                        15\n\x0c     activities necessary to eliminate or reduce the likelihood or probability of the risk;\n     while a contingency plan specifies a plan of specific activities that are to be\n     executed if the triggering events occur.) Specifically, although this risk was\n     identified at the onset of the project, the POD team did not develop its risk-\n     mitigation strategy to improve performance in low-bandwidth, high-latency\n     missions. In addition, although USAID identified the \xe2\x80\x9cpossibility of reorganizing\n     some of the overseas missions Controllers offices\xe2\x80\x9d as the contingency plan, it\n     did not document a detailed plan to reorganize. This is of particular concern\n     because the scheduled start date for deploying to the Asia Near East and Africa\n     regions\xe2\x80\x94where significant bandwidth and latency concerns have been\n     identified\xe2\x80\x94begins within the next two to six months. In response to the OIG\xe2\x80\x99s IT\n     Infrastructure Audit, the Chief Financial Officer committed to finalizing a business\n     contingency plan by November 2005. However, at the time of drafting our\n     evaluation comments, a business contingency plan had not been provided to the\n     OIG.\n\n     Currently, USAID has no business continuity plan in the event of disruption of\n     service with the Washington servers. Our review of the Plan of Action and\n     Milestones (POA&M) available during our audit fieldwork indicated that\n     November 2005 was the planned milestone date for completing the business\n     continuity plan. However, the necessity of having a business continuity plan in\n     place was made evident in a recent virus attack on the Washington server. Most\n     Phoenix users were unable to connect to the server on the day of the attack.\n     The POD technical team measured the document-processing activity inside\n     Phoenix and determined that the Phoenix users generated approximately\n     14 percent of the documents compared to before the attack. Mission users were\n     measured at only 4 percent.\n\n\xe2\x80\xa2\t   Data Migration Requirements Not Stable \xe2\x80\x93 Although the POD team took steps\n     to establish requirements during the planning phase of the project, its efforts did\n     not address the needs of all key stakeholders. As a result, USAID has\n     continually modified the data elements migrated in order to satisfy users\xe2\x80\x99\n     information needs.\n\n     Specifically, the requirements established for the pilot and Latin America and the\n     Caribbean (LAC) deployments included the Mission Accounting Control System\n     (MACS) Auxiliary Ledger (MAL) extract tables, and reference data from vendor\n     and agent/contractor tables from MACS. In November 2004, following the pilot\n     mission deployment, a conference was held to adjust the strategy, refine the\n     requirements, and incorporate lessons learned. The POD team learned during\n     the conference that the data migration should be modified to include the MACS\n     project elements data for bilateral obligations. Because the LAC deployment was\n     accelerated from April 2005 to February 2005, project element data was not\n     incorporated into the data migration strategy until the Europe and Eurasia (E&E)\n     regional deployment in July 2005. However, during the LAC deployment,\n     additional vendor data was migrated to include updated banking information.\n\n\n\n\n                                                                                        16\n\x0c       Then, during the most recent deployment to the E&E region, in addition to the\n       project element data, additional information from the pay file in the MACS\n       Payment Tracking System was also incorporated into the migration.\n\n       Rather than perform a thorough requirements assessment prior to deployment, in\n       each regional migration, additional MACS data was migrated in order to fulfill the\n       users\xe2\x80\x99 needs for information. With each modification to the data elements\n       migrated, additional programming and testing costs may be incurred to modify\n       the migration and data validation programs and conduct the required testing.\n\n\xe2\x80\xa2\t     System Upgrade Deployed Before It Was Ready \xe2\x80\x93 The Momentum software\n       upgrade included significant functional and technical enhancements. However,\n       the Agency accepted and authorized moving forward with the upgrade despite\n       the fact that (1) system and regression testing resulted in numerous open test\n       incident reports 12, (2) some significant functionality was deferred for future\n       releases of the software, and (3) certain reporting functionality was not system\n       tested. The POD team\xe2\x80\x99s \xe2\x80\x9cdeploy and fix\xe2\x80\x9d methodology became evident shortly\n       after the upgrade. Specifically, immediately after going live with the software\n       upgrade, the POD team prepared urgent change requests, to implement\n       32 needed changes that impacted several functional areas, including\xe2\x80\x94but not\n       limited to\xe2\x80\x94automated disbursements, accounts payable and credit cards.\n\n       In addition, the POD team did not conduct user acceptance testing the software\n       upgrade, which is designed to allow users an opportunity to test the software and\n       communicate concerns. Given the number of test incidents, the POD team\n       should have taken steps to conduct user tests of the software as configured to\n       ensure the software met their needs. (Helpdesk tickets showed problems with\n       disbursements, budgets, and other significant functions of the software.)\n\n\xe2\x80\xa2\t     Deficiencies with Data Migration, Validation and Clean-up \xe2\x80\x93 The POD team\xe2\x80\x99s\n       high-level phases to migrate the data were (1) configuration and set-up,\n       (2) validation and acceptance, and (3) production and cutover. However, some\n       problems were noted, as discussed below.\n\n       The methodology for migrating vendor data is to migrate MACS agents 13 to\n       Phoenix if they are used on an open obligation or commitment or if a payment\n       has been made to the agent since fiscal year 2001. Although this methodology\n       produced a significant number of vendor records lacking essential vendor data\n       (such as social security numbers, tax identification numbers, and addresses), the\n       POD team did not adjust the strategy to solve this issue. As a result,\n       approximately 36 percent of the vendor records for the LAC region were migrated\n       as miscellaneous vendor records. In a March 8, 2005 meeting, the Program\n       Management Team recognized this problem noting, \xe2\x80\x9cToo many vendors have\n       been categorized as miscellaneous.\xe2\x80\x9d\n\n\n\n12\n   The Test Incident Reports were used for documenting, tracking and resolving problems\nidentified during test execution.\n13\n   A MACS agent is an entity (e.g., vendor, employee) to whom USAID may make a payment.\nMACS agents are required to be in the MACS agent table in order for a payment to be made.\n\n\n                                                                                      17\n\x0c       In addition, in a March 22, 2005, conference call, Agency officials in the\n       Dominican Republic reported that they were \xe2\x80\x9c[r]eceiving checks from other\n       missions because of incorrect address lines. It happened this week with Jamaica\n       and last week with Haiti.\xe2\x80\x9d This issue could have very serious implications in\n       regards to the financial statements. Annually the Agency is required to estimate\n       and report the amount of erroneous payments for activities where the risk is\n       significant.\n\n       According to the Data Migration Validation Plan, the Validation team is\n       responsible for validating that the reference tables are populated correctly and\n       the transaction data are accurate. In other words, data validation is done to\n       ensure data integrity is maintained. For the mission data validation, the\n       crosswalks between MACS/MAL and Phoenix data elements are used to\n       translate historical and current-year MAL transactions accurately into Phoenix.\n       The Data Migration Validation team validates that the crosswalks and\n       corresponding data are mapped accordingly in the Phoenix system. However,\n       the LAC production validation results noted that, because the MAL records were\n       not cross-walked to the appropriate Phoenix table, (1) the error rate for advances\n       and advance liquidations of three missions exceeded the 2 percent threshold and\n       (2) the error rate for disbursements for non-\xe2\x80\x9dadvice of charge\xe2\x80\x9d exceeded the\n       acceptable error rate of 2 percent for two missions.\n\n       Finally, regarding data clean-up, rather than providing a remedy to correct some\n       data, the Data Migration team recommended that LAC exclude certain data from\n       the migration\xe2\x80\x94a recommendation that LAC accepted. By taking this approach of\n       not migrating problem data, the POD team is at risk of excluding essential data\n       that may be needed in the future.\n\n\xe2\x80\xa2\t     Difficulty Meeting Critical Reporting Needs \xe2\x80\x93 Although reporting was identified\n       as a high risk to the project, the POD team did not take appropriate measures to\n       ensure that reporting needs would be met. Specifically, the team did not\n       (1) effectively develop reporting requirements, (2) perform adequate user\n       acceptance tests of the reports before implementing them, and (3) complete their\n       operational readiness checks with respect to reports before going live. As a\n       consequence, the POD team experienced extreme difficulty meeting the critical\n       reporting needs of mission users.\n\nUnfortunately, the Agency\xe2\x80\x99s current governance structure, inadequate policies and\nprocedures and lack of adequate resources in the PMO, staged the current scenario for\nthe POD project to monitor itself. The lack of objective, independent project oversight for\nthe POD project limits USAID\xe2\x80\x99s ability to ensure that best practices are implemented as\ndescribed in copious documentation. Without enterprise-level policies and standards,\nUSAID will continue to subject itself to an endless cycle of ad-hoc implementation\npractices driven by aggressive deployment schedules.\n\n         Difficulty Aligning IT with Business \xe2\x80\x93 An IRM Strategic Plan should support\nthe Strategic Plan of the Agency and guide all IT investments to ensure they enable the\nbusiness of the Agency. By not having an updated IRM Strategic Plan\xe2\x80\x94a fundamental\ncomponent needed to successfully modernize its business systems\xe2\x80\x94USAID will have\ndifficulty aligning its IT with identified needs and priorities for addressing the challenges\nthat the Agency will face over the next five years. Specifically, USAID will have difficulty\n\n\n                                                                                          18\n\x0cintegrating its IRM decisions with organizational planning, budget, procurement, financial\nmanagement, human resources management, and program decisions.\n\n       Systems Developed in a \xe2\x80\x9cStovepipe\xe2\x80\x9d Manner \xe2\x80\x93 An EA should provide a\nstrategy that will enable the Agency to support its current state and also act as the\nroadmap for transition to its target environment. The primary purpose of the data\nreference model component of an EA is to promote the common identification, use, and\nappropriate sharing of data/information across the Federal government. At USAID, the\nPMO should serve as the body that ensures data from all projects are integrated/shared\nacross the Agency.\n\nHowever, because the EA not being fully developed and the PMO was not fully\nfunctional, USAID continues to build its systems in a \xe2\x80\x9cstovepipe\xe2\x80\x9d manner. Specifically,\nthere is no assurance that the data collected and the information reported by these\nsystems will be able to be shared across different systems. Further, there is no\nassurance that duplicate data will not be collected and stored\xe2\x80\x94resulting in inefficiencies\nand possible disparities.\n\nOne such example is the PSIP and POD projects. The accounting system (deployed by\nthe POD project) will contain some contract and obligation data (e.g., vendor name and\naward amount), which will also be contained or referenced by the procurement system\n(deployed by the PSIP project). Although USAID reviewed project interdependencies\nand established a committee to (among other functions) guide, at the executive-level,\nthe planning and implementation of USAID\xe2\x80\x99s core accounting and procurement systems\nin USAID/Washington and overseas missions, the projects are being managed in a\n\xe2\x80\x9cstovepipe\xe2\x80\x9d manner. For example, although PSIP required a future version of the\nsoftware, the POD project moved forward in deploying an earlier version, rather than\nensuring that the needs of both systems would be met.\n\nFinally, the accounting and procurement systems will need to be integrated at some time\nin the future\xe2\x80\x94which will lead to additional costs. Moreover, both projects are being\ndeveloped and implemented without the benefit of an EA. The goal of an EA is to define,\nmaintain, and implement an Agency-wide roadmap that achieves an Agency\xe2\x80\x99s mission\nthrough optimal performance of its core business processes within an efficient IT\nenvironment. The lack of this roadmap may result in the interdependencies between\nPSIP and POD not being identified\xe2\x80\x94resulting in inefficient business operations and\nunderlying IT support operations.\n\nAnother example of a problem caused by this \xe2\x80\x9cstovepipe\xe2\x80\x9d manner of developing systems\ncan be found in the relationship between the Executive Information System (EIS) and EA\nProjects. The purpose of the EIS is to collect data and use it to generate information\nneeded to operate the Agency and report results to customers inside and outside of the\nAgency. Similarly, the primary purpose of the EA project, in its data reference model, is\nto promote the common identification, use, and sharing of data/information across the\nFederal government and within the Agency. Therefore, the two projects are interrelated\nand should be coordinated or integrated. Yet they are not because the interrelations\nwere not managed due to their \xe2\x80\x9cstovepipe\xe2\x80\x9d structure. The EA has been managed by the\nPMO, and the EIS had been managed outside the PMO by a member of the CIO\xe2\x80\x99s\nstaff\xe2\x80\x94with little PMO involvement. (After OIG inquiries, the EIS was recently placed\nunder the auspices of the PMO.)\n\n\n\n                                                                                       19\n\x0cIn summary, USAID\xe2\x80\x99s IT initiatives address the requirements of one \xe2\x80\x9cstovepipe\xe2\x80\x9d\napplication, but does not consider requirements that overlap multiple projects.\nTherefore, USAID is at risk that the enterprise-wide requirements may not be satisfied in\nthe individual applications.\n\n         Inability to Repeat Successes and Thus Maximize IT Resources \xe2\x80\x93 Because\nUSAID did not fully establish its policies and procedures at the enterprise level, its\nprojects have relied on the methodologies of its contractors for many activities. As a\nresult, the successes of the projects are not necessarily a repeatable process for the\nAgency as a whole and, therefore, other IT initiatives may not be able to benefit from\nthose successes\xe2\x80\x94unless other projects engage the same contractors. Moreover, other\nIT initiatives may need to \xe2\x80\x9creinvent the wheel\xe2\x80\x9d\xe2\x80\x94costing additional time and money to\nimplement the projects. For example, even though the POD project experienced some\nproblems, to date USAID has implemented the system at 22 missions. However, those\nsuccesses may not necessarily be repeatable for the Agency.\n\nConclusions - An effective IT governance structure is essential for USAID to meet the\ngoals of its Business Transformation Plan to reform the Agency\xe2\x80\x99s management systems\nand improve organizational performance. In order to meet its desired transformations,\nUSAID must (1) align its IT with the business, enable the business and maximize\nresources; (2) use its IT resources responsibly; and (3) appropriately manage IT risks.\nMoreover, USAID's reputation may not survive another major unsuccessful attempt to\ndeploy its management systems. As such, we are making recommendations to help\nUSAID improve its information technology (IT) governance and thus reduce the risks\ninvolved in Agency IT initiatives. Further, our recommendations will help USAID to\ncorrect its longstanding material weakness in its Information Resource Management\nprocesses.\n\n\n\n\n                                                                                      20\n\x0cEVALUATION OF\nMANAGEMENT COMMENTS\nUSAID\xe2\x80\x99s Acting Chief Information Officer (CIO) and the Acting Director of Resource\nAllocation prepared a consolidated written response to our draft report.         The\nconsolidated response is included in its entirety in Appendix II of this report.\n\nIn their response, USAID agreed with and plans to take action on all six\nrecommendations. A summary of USAID\xe2\x80\x99s comment and our evaluation follows each\nrecommendation in the body of the report. Based on USAID\xe2\x80\x99s response, a management\ndecision has been reached on Recommendation Nos. 1, 2, 3, 4, 5 and 6.\n\nIn addition to the responses provided for our recommendations, the Agency prepared\nwritten technical comments on the effects of project risks reported.  The following\nsection provides our evaluation of the Agency\xe2\x80\x99s technical comments.          Where\nappropriate, we made changes to the report.\n\nThe Agency technical comments begin by stating, \xe2\x80\x9cWe are pointing out what may be\nfactual inaccuracies.\xe2\x80\x9d However, as shown in our analysis below, we believe that their\ncomments did not point out any factual inaccuracies.\n\n\xc2\x83\t Page 12, Fourth Paragraph: In its comments, USAID management stated,\n   \xe2\x80\x9cCharacterization of the PSIP Project as \xe2\x80\x9cUnsuccessful\xe2\x80\x9d is entirely incorrect and\n   premature.\xe2\x80\x9d The term \xe2\x80\x9cUnsuccessful\xe2\x80\x9d only appears in the subheading to this report\n   segment as \xe2\x80\x9cUnsuccessful PSIP Project.\xe2\x80\x9d In response to management concerns this\n   subheading was changed to \xe2\x80\x9cProblems Led to Suspension of PSIP Project\xe2\x80\x9d to more\n   closely match the report text. However, in its comments management acknowledged\n   that, in Fall 2005, it selected a new acquisition and assistance systems \xe2\x80\x9cto ensure\n   that the delivered COTS product met the needs of the Administrator\xe2\x80\x99s mandate and\n   the user community for acquisition and assistance actions.\xe2\x80\x9d This action resulted\n   from management having suspended the PSIP project after abandoning further\n   development of the \xe2\x80\x9cCOTS\xe2\x80\x9d product initially selected.\n\n\xe2\x80\xa2\t Page 13, First Paragraph: In its comments, USAID management stated, \xe2\x80\x9cReference\n   to software not fully developed prior to purchase is an inaccurate characterization of\n   the COTS product.\xe2\x80\x9d However, based on the following facts, we concluded that the\n   report\xe2\x80\x99s characterization of the software as not fully developed prior to purchase is\n   correct.\n\n   In reference to COTS, the USAID PSIP Implementation Plan, states that the project,\n   \xe2\x80\x9cemphasizes the use of Commercial-off-the-shelf (COTS) products \xe2\x88\x92 minimizing the\n   need for extensive software development.\xe2\x80\x9d However, as previously noted, in Fall\n   2005 USAID purchased alternative software due to shortcomings in the software\n   initially selected. In its own comments regarding the software initially selected\n   management states \xe2\x80\x9cthere were significant risks associated with the product\xe2\x80\x99s\n\n\n\n\n                                                                                      21\n\x0c   reliability and stability in the new technical platform. USAID felt that these risks were\n   too great to continue and conducted an analysis of alternate solutions to determine if\n   other systems better met USAID\xe2\x80\x99s needs out of the box.\xe2\x80\x9d\n\n   Our conclusion, also stated by management, was that \xe2\x80\x9cout of the box\xe2\x80\x9d the software\n   initially selected required more than minimal software development.\n\n\xe2\x80\xa2\t Page 13, Second Paragraph: In its comments, USAID management stated, \xe2\x80\x9cThe\n   PSIP Team disagrees with the assessment that USAID did not effectively mitigate its\n   risk for the PSIP project.\xe2\x80\x9d However, management\xe2\x80\x99s comments present only a\n   hypothetical description of actions that would have been taken had the project not\n   been suspended. Specifically, management stated that the intent was to conduct\n   tests in Washington and later develop a mitigation strategy for overseas. This\n   comment alone shows that USAID did not mitigate its high risk for PSIP, which was\n   \xe2\x80\x9cthe inability of the web-based application to optimally perform in an overseas\n   environment where the network support may not be adequate for remote missions.\xe2\x80\x9d\n\n\xe2\x80\xa2\t Page 13, Third Paragraph: According to USAID\xe2\x80\x99s management comments, the PSIP\n   Team disagrees with the assessment that their response to the Independent\n   Verification and Validation results was slow. However, as noted in the audit report,\n   in January 2005, PSIP managers were briefed on the initial Independent Verification\n   and Validation results\xe2\x80\x94which identified the same requirements gaps in the April\n   2005 final report.      Specifically, the Independent Verification and Validation\n   determined that the software would not meet 64 key requirements. Instead, USAID\n   continued with the project until shortly after USAID\xe2\x80\x99s new Project Manager Director\n   began.\n\n\xe2\x80\xa2\t Page 13, Fourth Paragraph: In its comments, USAID management stated, \xe2\x80\x9cFor\n   clarification, the continuance of the $5,200 was for software maintenance fees.\xe2\x80\x9d\n   Further, management stated that the continuance of those payments were necessary\n   to ensure the future use of the software, if needed. USAID management\xe2\x80\x99s\n   clarification is noted. Thus, we changed the report to reflect \xe2\x80\x9cmaintenance\xe2\x80\x9d fees\n   rather than \xe2\x80\x9clicensing\xe2\x80\x9d fees. However, as stated in the report, implementation of the\n   prior software was abandoned. This resulted in the payment of additional\n   maintenance fees of $26,000 that were of no use.\n\n\xc2\x83\t Page 14, Fourth Paragraph \xe2\x80\x93 Management stated that our characterization that their\n   contingency and risk-mitigation plans for the POD project as inadequate is not\n   entirely accurate because both risk mitigation and contingency plans have been\n   developed and adopted by the missions. Management further responded that the\n   risk mitigation plan is to purchase additional bandwidth to mitigate potential network\n   connectivity performance issues and the World Wide Vouchers Examiner (WWVE)\n   strategy serves as the business contingency plan. Because the information provided\n   in management\xe2\x80\x99s response was not provided during our fieldwork we were unable to\n   review and test the adequacy of the contingency and risk-mitigation plans. In\n   addition, because management\xe2\x80\x99s response did not include the date the risk\n   mitigation and contingency plans were developed it is unclear if these strategies\n   were in effect at the time that our audit fieldwork was being conducted. The Agency\n   also stated that in their analysis of Help Desk Remedy Tickets, Phoenix is\n   functioning at an acceptable level of performance. Although we did not evaluate\n\n\n\n                                                                                         22\n\x0c      system performance in this audit, in a February 2005 audit report, 14 we\n      recommended USAID (1) develop and implement formal performance goals for\n      transaction response times in Phoenix in all worldwide locations and (2) implement a\n      process to actively monitor transaction response times in Phoenix in all worldwide\n      locations.   To date, USAID has not taken final corrective action on either\n      recommendation. Nonetheless, this does not preclude the need for a contingency\n      plan.\n\n      In addition, management pointed out that in their response to our February 2005\n      audit report, 15 the Chief Financial Officer committed to finalizing a business\n      contingency plan. Although not stated in management\xe2\x80\x99s response to this report, the\n      CFO\xe2\x80\x99s plan was targeted to be completed by November 2005. At the time of drafting\n      our report, we had not been provided a copy of management\xe2\x80\x99s business contingency\n      plan. We have provided additional information in this report to explain that the\n      contingency plan had not been provided.\n\n      Management further stated that a finalized contingency plan was not critical until\n      after the Asia and Near East (ANE) deployment. Management correctly pointed out\n      that based on our findings during the IT Infrastructure Audit; the IG found that the\n      connectivity between pilot and LAC missions was reliable. However, we disagree\n      that a finalized contingency plan was not critical until after the ANE deployment. As\n      stated in our report, a contingency plan specifies a plan of specific activities that are\n      to be executed if the triggering events occur. In accordance with Appendix III to\n      OMB Circular No. A-130, Security of Federal Automated Information Resources and\n      the Paperwork Reduction Act, contingency planning for major applications are\n      required as a part of the Application Security Plan and should be incorporated into\n      the strategic IRM plan prior to the security plan\xe2\x80\x99s implementation.\n\n\xe2\x80\xa2\t Page 14, Fifth Paragraph \xe2\x80\x93 Management disagreed with the statement in our report\n   that USAID had no business continuity plan in the event of disruption of service with\n   the Washington servers. Management stated that \xe2\x80\x9cPOD had an actionable continuity\n   plan in place, based on the Department of State\xe2\x80\x99s Beltsville Information Management\n   Center (BIMC), in case USAID servers experienced a disruption in service.\xe2\x80\x9d Our\n   review of the Plan of Action and Milestones (POA&M) available during our audit\n   fieldwork indicated that November 2005 was the planned milestone date for\n   completing the business continuity plan. We have revised our report to include the\n   November 2005 milestone for completing business continuity plan.\n\n\xe2\x80\xa2\t Page 14, Sixth Paragraph and Page 15, Second Paragraph \xe2\x80\x93 Management objected\n   to our conclusion that the data migration requirements were not stable and stated\n   that our statements were not entirely accurate. We understood and took into\n   consideration the need for adjustments to the data migration strategy based on\n   lessons learned from the pilot deployment. However, our audit found that USAID\xe2\x80\x99s\n   subsequent adjustments to the migrated data were due in part to the difficulty in\n   meeting reporting requirements\xe2\x80\x94which impacted the migration effort. For example,\n\n14\n  Audit of USAID\xe2\x80\x99s Information Technology Infrastructure (Report No. A-000-05-006-P,\nFebruary 22, 2005)\n15\n     Ibid, footnote 14\n\n\n\n                                                                                            23\n\x0c     according to the February 2005 edition of the \xe2\x80\x9cPhoenix Flight,\xe2\x80\x9d the Reports Team\n     refined the data migration strategy after deploying Phoenix to the LAC region. The\n     purpose of the refinement was to add \xe2\x80\x9cMACS program element\xe2\x80\x9d under bilateral\n     agreements, which would provide more detailed reports to users. Moreover, this\n     refinement was made to solve some of the reporting problems that users were\n     experiencing.\n\n\xe2\x80\xa2\t Page 15, Third Paragraph \xe2\x80\x93 Management pointed out that test incident reports\n   (TIRs) are not equivalent or necessarily translate to change requests (CRs). We\n   agree that it is possible that TIRs do not necessarily translate to CRs. However, to\n   clarify our point, we revised our report to state that:\n\n          \xe2\x80\xa6the Agency accepted and authorized moving forward with the\n          upgrade despite the fact that 1) system and regression testing resulted\n          in numerous open test incident reports 16, (2) some significant\n          functionality was deferred for future releases of the software, and\n          (3) certain reporting functionality was not system tested.\n\n\xe2\x80\xa2\t Page 15, Fourth Paragraph - Management accurately pointed out that user\n   acceptance testing is not required under industry best practices for TIRs and/or to\n   address software changes/upgrades, when system and/or regression testing is\n   performed.     However, in our opinion, user acceptance tests of the system\n   functionality and reports should have been conducted given the results of the system\n   and regression test results.\n\n\xe2\x80\xa2\t Pages 15-16, Sixth Paragraph \xe2\x80\x93 Management objected to the presentation of\n   information related to the effect of data migration deficiencies identified during the\n   audit. In response to management\xe2\x80\x99s comments we have revised the report to\n   include our findings regarding erroneous payments in a separate paragraph for\n   clarity to the reader.\n\n\xe2\x80\xa2\t Page 16, Second Paragraph \xe2\x80\x93 Management did not agree with our statement that\n   \xe2\x80\x9cthe POD team is at risk of excluding essential data that may be needed in the\n   future\xe2\x80\x9d because \xe2\x80\x9cthe Data Migration team recommended that LAC exclude certain\n   data from the migration.\xe2\x80\x9d The basis for our concern with the data clean-up process\n   was to address one of the difficulties the Agency has experienced in the past in\n   reporting accurate and timely data for congressional data calls. In our opinion,\n   excluding data from the data migration as a strategy to address the data clean-up\n   process will not improve the Agency\xe2\x80\x99s ability to provide accurate and timely\n   information.\n\n\xe2\x80\xa2\t Page 16, Fifth Paragraph \xe2\x80\x93 Management stated that the comment in our report\n   regarding the lack of adequate resources was not entirely accurate. Our audit found\n   a lack of objective or independent project oversight. As stated in our report, we\n   found a lack of adequate resources in the PMO to provide independent project\n   oversight. In response to managements concerns we will include the word\n   \xe2\x80\x9cindependent\xe2\x80\x9d in our comment for clarity to the reader.\n\n16\n   The Test Incident Reports were used for documenting, tracking and resolving problems\nidentified during test execution.\n\n\n                                                                                      24\n\x0c\xe2\x80\xa2\t Page 17, Fourth Paragraph \xe2\x80\x93 In our report, we used POD and PSIP projects as an\n   example of USAID developing its IT systems in a stovepipe manner. In response,\n   management commented that \xe2\x80\x9csenior officials made it clear that the priority was to\n   deploy Phoenix overseas\xe2\x80\x9d and that stopping the POD project to wait for PSIP would\n   cause the POD schedule to slip and budget to increase. However, we did not state\n   that the POD project should have stopped to wait for PSIP. Instead, our comment\n   was to show that decisions for the POD project\xe2\x80\x94in this example the software\n   version\xe2\x80\x94were made without considering the needs of both projects.\n\n\xe2\x80\xa2\t Page 18, Third Paragraph \xe2\x80\x93 Management commented that our statements related to\n   the POD project success not being repeatable for other USAID projects were not\n   entirely accurate. Management supported their comments by pointing out the\n   Phoenix program management processes and procedures, such as the Risk\n   Management Plan, Quality Assurance Plan, Communications Strategy and Plan,\n   project and team charters, have been leveraged by other USAID business systems\n   initiatives such as JAMS and PSIP. In the report, we stated that the Agency adopted\n   risk management and quality control plans into its IT initiatives at the Agency level.\n   However, in our opinion the lack of enterprise level policies and procedures hampers\n   the agencies ability to repeat the same processes in other areas such as developing\n   requirements, data definitions, and system\xe2\x80\x99s testing.\n\n\n\n\n                                                                                      25\n\x0c                                                                            APPENDIX I \n\n\n\n\nSCOPE AND METHODOLOGY\n\nScope\nThe Office of Inspector General, Information Technology and Special Audits Division,\nperformed this audit in accordance with generally accepted government auditing\nstandards. The purpose of the audit was to determine whether USAID used Federal\nrequirements and best practices to implement an integrated process to manage and\ncontrol its Phoenix Overseas Deployment (POD) and Procurement System Improvement\nProgram (PSIP) projects. Audit fieldwork was conducted at USAID headquarters in\nWashington, D.C., from March 3, 2005, through August 22, 2005.\n\nAlthough we focused primarily on USAID's IT governance over its POD and PSIP IT\ninitiatives, we also considered the enterprise architecture and the Executive Information\nSystem IT initiatives as they related to POD and PSIP. As such, for the enterprise\narchitecture and Executive Information System, we performed only limited audit work.\n\nTo conduct the audit, we considered some IT processes within USAID's:\n\n\xe2\x80\xa2\t Identification of the way IT can best contribute to the achievement of the business\n   objectives.\n\n\xe2\x80\xa2\t Identification, development or acquisition of systems as well as the implementation\n   and integration of those systems into the business processes.\n\n\xe2\x80\xa2\t Actual delivery of required services.\n\n\xe2\x80\xa2\t Monitoring of IT processes for their quality and compliance with control requirements.\n\nHowever, we did not include IT security within the scope of our work.\n\n\nMethodology\nAs the framework for designing this audit, we used the July 2000 edition of the Control\nObjectives for Information and related Technology (released by the COBIT Steering\nCommittee and the IT Governance Institute). Based on initial interviews and reviews of\ndocumentation, we used our judgment to select which control areas were most critical to\nUSAID's IT governance process. Further, we tailored the suggested audit procedures to\nUSAID's environment.\n\nWe interviewed direct hires and/or contractors from USAID's Office of the Chief\nInformation Officer, including the Office of Information Resources Management and the\nProgram Management Office. In addition, we interviewed direct hires and/or contractors\nfrom USAID's Office of Financial Management and the Office of Acquisition and\nAssistance, who were responsible for the POD and PSIP projects, respectively.\n\nWe reviewed relevant laws, regulations, best practices, and USAID policies, procedures,\n\n\n\n                                                                                      26\n\x0cand guidance. We also reviewed Agency plans and documentation from the PMO as\nwell as from the PSIP and POD projects, including, but not limited to charters, plans, and\ncontracts. Finally, we reviewed results of other audits and reviews related to our audit\nobjective.\n\nUsing the above information, we identified areas that we perceived as high risk based on\nthe significance and sensitivity of that process and the likelihood that the particular\nprocess may not achieve its intended control objective. For those high-risk areas, we\nperformed tests to assess the adequacy of the IT controls. However, this audit was not\nsufficient to make definitive determinations of the effectiveness of IT controls that were\nnot considered to be high risk.\n\nA specific materiality threshold was not set for the audit. Instead, we used our judgment\nin determining sampling sizes to assess the Agency\xe2\x80\x99s IT governance.\n\n\n\n\n                                                                                       27\n\x0c                                                               APPENDIX II \n\n\n\n\nMANAGEMENT COMMENTS\n\n\n\n\n\n                                                          January 13, 2006\n\nMEMORANDUM\n\nTO:\t        IG/A/ITSA, Melinda G. Dempsey\n\nFROM: \t     M/CIO (Acting), John Streufert /s/\n            PPC/RA/PBI, Patricia Sommers /s/\n\nSUBJECT: Management Response to Office of Inspector General\xe2\x80\x99s Report:\nAudit of USAID\xe2\x80\x99S Information Technology Governance Over its Phoenix\nOverseas Deployment and Procurement System Improvement Program\nProjects (Draft Report No. A-000-06-00X-P, October 27, 2005)\n\n   Thank you for the opportunity to respond to the subject draft report. We\nappreciate your review and are providing our comments, other relevant\ninformation, and management decisions on the recommendations in the\nreport.\n\n   We feel that it is important to provide you with the current context\nimpacting the future of Information Technology Governance at USAID.\nThe Office of Management and Budget (OMB) has consistently expressed\nsupport for enhanced strategic and operational collaboration between the\nDepartment of State (State) and USAID. Both State and USAID have been\ndirected by OMB to use the Joint Enterprise Architecture as the vehicle for\nmapping the business functions of both organizations and identifying\npotential areas of duplication and realignment. OMB has instructed that the\nJoint Management Council (JMC) be responsible for prioritizing the\nfunctions to be examined and ensuring that transparent and actionable\n\n\n                                                                        28\n\x0cimplementation processes are in place to systematically drive business\nprocess change and produce results. OMB has further called for the\nestablishment of a Joint Program Management Office (JPMO) that would\nreport to the JMC to govern the execution of the Enterprise Architecture and\nits implementing projects.          To encourage adoption of their\nrecommendations, OMB has not supported funding the USAID Enterprise\nArchitecture or the USAID PMO in either FY06 or FY07. Additionally, the\nAA/M has recently sent an Action Memorandum to the Administrator\nrecommending approval to create a new program office for more effective\nand efficient management of Management (M) Bureau resources and to\nreorganize the M Bureau structure to allow for the creation of this new\noffice. The extent of the impact on the existing Program Management\nOffice is yet to be determined. Pending decision on the M Bureau\nreorganization and the formalization of the joint State-USAID management\nstructures and funding approach, USAID is able to continue a modest\ninvestment in improving IT Governance at USAID utilizing PMO Capital\nInvestment Funds allocated in FY05. Future process improvement activities\nwill be supported to the level that available funding and resources can be\nprovided and management priorities permit.\n\nManagement Decisions\n\nRecommendation No. 1: We recommend that the Chief of the USAID\nProgram Management Office's Business Enterprise Architecture Division\ndevelop and implement a plan to address the enterprise architecture needs of\nthe Agency.\n\nManagement Decision: The development and the implementation of the\nJoint Enterprise Architecture are currently being managed by the\nDepartment of State. The Joint Enterprise Architecture Completion and Use\nPlan Progress Report submitted to OMB by Department of State in May\n2005 provides a summary of the current status and planned actions for the\nJEA. In support of the Executive Information System (EIS) project,\nM/PMOBEA shall develop a data reference model (DRM) focusing on the\ndata that supports the program and activities management (April 2006).\nUnaddressed elements of the DRM, along with other reference model\ninformation will be developed as budget and management priorities permit .\nThe Business Enterprise Architecture Division, in concert with the Enabling\nTechnologies and Integration Division, will develop a project plan that will\naddress USAID's EA objectives (April 2006).\n\n                                                                         29\n\x0c   Recommendation No. 2: We recommend that the Chief of the USAID\nProgram Management Office's Enabling Technologies and Integration\nDivision develop USAID\xe2\x80\x99s policies and procedures for each phase and\nactivity of the Agency\xe2\x80\x99s project life cycle, including performance metrics\nand measures.\n\n   Management Decision: The Enabling Technologies and Integration\nDivision of the PMO was reorganized under the Office of Information\nResources Management effective November 27, 2005. The M/IRM/ETI\nDivision Chief will coordinate the development of USAID\xe2\x80\x99s IT Project\nManagement Control Manual (PMCM) that will describe the policies and\nprocedures for each phase and activity of the Agency\xe2\x80\x99s IT project life cycle\nand address performance metrics and measures. This manual will be a\nmandatory reference to the ADS. (September 2006)\n\n   Recommendation No. 3: We recommend that the Chief of USAID\nProgram Management Office's Enabling Technologies and Integration\nDivision prepare Agency policies and procedures for preparing Office of\nManagement and Budget Exhibit 300s to require that documentation be\nmaintained for cost estimates and that the cost estimates be validated.\n\n   Management Decision: The M/IRM/ETI Division Chief will develop\nguidance for preparing IT system life cycle cost estimates and their\nvalidation. This guidance will be a mandatory reference to the ADS. The\nEarned Value Management policies and procedures developed in response to\nRecommendation No. 4 will also include the requirement for validation of\nmajor investment performance baselines. The USAID Earned Value\nManagement Guide to be referenced in the policy will require formal change\ncontrol of performance baselines. (September 2006)\n\n  Recommendation No. 4: We recommend that the Chief of the USAID\nProgram Management Office's Enabling Technologies and Integration\nDivision codify USAID\xe2\x80\x99s policies and procedures for project risk\nmanagement, quality control, and earned value management in accordance\nwith USAID\xe2\x80\x99s Automated Directives System Chapter 501.\n\n   Management Decision: The M/IRM/ETI Division Chief will develop\nand codify USAID\xe2\x80\x99s policies and procedures for IT project risk\nmanagement, quality control, and earned value management in the ADS.\n\n                                                                         30\n\x0c(September 2006)\n\n   Recommendation No. 5: We recommend that the Director of USAID's\nProgram Management Office prepare and implement a detailed plan\n(including detailed milestones, performance measures, and metrics) to\nestablish a mature Program Management Office that provides for a\nrepeatable project-implementation capability that analyzes, reduces,\nmanages and mitigates project risk.\n\n   Management Decision: An Action Memorandum has been sent to the\nAdministrator recommending approval to create a new program office for\nmore effective and efficient management of M Bureau resources and to\nreorganize the M Bureau structure to allow for the creation of this new\noffice. The extent of the impact on the existing Program Management\nOffice is yet to be determined.\n\n   The Program Management Office (PMO) will develop a Project\nManagement Plan (PMP) that will address improvement/maturation of the\nPMO (to the extent that budget and management priorities permit). The\nPMO Director has awarded a task order under the PRIME 3.1 BPA to ICOR\nPartners, LLC for IT Governance and PMO support. The scope of the task\norder includes the development of an IT Governance Management Model\nand progress toward its implementation. The Task Order Management Plan\nmust be refined to reflect the impacts of the proposed M Bureau\nreorganization and to address current priorities which include responsiveness\nto these audit findings. The PMO Director or alternate CIO-designated\nmanager will provide the revised IT Governance and PMO Support Task\nOrder Management Plan, as modified, including detailed milestones,\nperformance measures and metrics. (February 2006).\n\n   Recommendation 6: We recommend that the Directors of USAID\xe2\x80\x99s\nOffice of Strategic and Performance Planning and Office of Resource\nAllocation (within the Bureau for Policy and Program Coordination)\nimplement a process to allow the Chief Information Officer to examine how\nAgency-wide information technology resources are spent in accordance with\nAutomated Directives System section 541.3, thus allowing the Chief\nInformation Officer the ability to ensure sufficient resources for an effective\ninformation technology governance structure.\n\n   Management Decision: The Paperwork Reduction Act and Division E of\n\n\n                                                                            31\n\x0cthe Clinger-Cohen Act of 1996 (also known as the Information Technology\nManagement Reform Act) require that information resources management\noperations and decisions be integrated with organizational planning, budget,\nfinancial management, human resources management, and program\ndecisions. The Chief Information Officer (CIO) is required to provide\nadvice and other assistance to the head of the executive agency and other\nsenior management personnel of the executive agency to ensure that\ninformation technology is acquired and information resources are managed\nfor the executive agency in a manner that implements the policies and\nprocedures of Division E of the Clinger-Cohen Act of 1996, consistent with\nchapter 35 of title 44, United States Code, and the priorities established by\nthe head of the executive agency.\n\n   As amplified by OMB Circular 130, Section 9a (3), the CIO\xe2\x80\x99s role is to\n\xe2\x80\x9cbe an active participant during all agency annual budget processes.\xe2\x80\x9d The\nCIO is fulfilling that role at USAID. The Agency\xe2\x80\x99s budget is developed and\napproved with many internal and external stakeholders, including Congress\nand the White House, based on many competing priorities. The IT budget is\nonly one of the factors that have to be considered in the negotiation of the\nAgency\xe2\x80\x99s budget.\n\n   The Chief Information Officer and Directors of USAID\xe2\x80\x99s Office of\nStrategic and Performance Planning and Office of Resource Allocation\n(within the Bureau for Policy and Program Coordination) will modify the\nAutomated Directives System (ADS) Chapter 541, \xe2\x80\x9cInformation\nManagement\xe2\x80\x9d, and others as required to improve the assessment of IT\nsystems and resources \xe2\x80\x9cin use\xe2\x80\x9d and \xe2\x80\x9cplanned\xe2\x80\x9d and assure adequate resources\nare available for IT governance processes (to include                analysis,\ndocumentation, execution, control, and oversight). This will be\naccomplished in two stages by documenting the systems in use and planned\nas part of the annual budget call for estimates by PPC with a list of systems\nthat the CIO will provide missions. With that data the CIO will analyze\nwhether there are sufficient resources to ensure effective governance in\nconsultation with PPC. In addition, the Agency will continue its efforts to\nensure sufficient resources for IT requirements. However, ultimately the\ntotal level of resources available to USAID for all operating costs is\ndetermined by Congress and IT must be balanced against other\nrequirements. (September 2006)\n\n\n\n\n                                                                           32\n\x0cTechnical Comments on Report\n\n   We are pointing out what may be factual inaccuracies. These are being\nprovided for your consideration in an effort to strengthen your report on this\nvery complicated and sensitive issue, especially considering the widespread\ninterest this audit may generate.\n\n\xc2\x83\t Page 12, Fourth Paragraph: Characterization of the PSIP Project as\n   \xe2\x80\x9cUnsuccessful\xe2\x80\x9d is entirely incorrect and premature. The decision to\n   suspend its implementation schedule was to allow the project team to\n   reassess its implementation strategy to ensure that the delivered COTS\n   product met the needs of the Administrator\xe2\x80\x99s mandate and the user\n   community for acquisition and assistance actions. Unsuccessful would\n   have been to allow the project to continue on its current course,\n   expending scarce resources to meet a delivery schedule that may not\n   result in meeting the Agency\xe2\x80\x99s functional requirements, and increase\n   project life cycle costs. As a result of the OMB mandate to partner with\n   the Department of State for the assistance component under the Joint\n   Assistance Management System (JAMS), USAID made the decision to\n   separate the JAMS and PSIP projects to more effectively satisfy the\n   mandatory requirements for each component while still meeting the\n   OMB mandate for JAMS.             Selections of the new assistance and\n   acquisition systems were made in the Fall 2005. A substantial amount of\n   the integration services that were performed for PSIP are being re-used\n   with the new JAMS and PSIP implementations, including the business\n   process flows, data migration, reporting requirements, and some\n   components of the system configuration. Additionally, work that was\n   performed to integrate NMS A&A with Phoenix will also be reused to\n   design and develop the interfaces between the new assistance and\n   acquisition systems and Phoenix.\n\n\xc2\x83\t Page 13, First Paragraph: Reference to software not fully developed\n   prior to purchase is an inaccurate characterization of the COTS product.\n   USAID conducted a market survey which identified several COTS\n   products that met the basic functionality for acquisition and assistance.\n   Additionally, the Department of State (State) provided USAID a\n   demonstration of their COTS procurement system to highlight how they\n   process their procurement transactions. The Department of State was\n   planning to migrate from Procurement Desktop to Momentum\n   Acquisitions to coincide with their financial migration to Momentum\n\n                                                                           33\n\x0c   Financials. At the time, USAID was also in the process of deploying\n   Momentum Financials.\n\n   Out of the box, the COTS solution provided the basic procurement\n   functionality and was very immature in its client base. The undeveloped\n   part was the data and field names to support the assistance business\n   processes. We were aware that certain requirement gaps would be\n   addressed in subsequent releases of the software, through product\n   customization, or through substantial business process reengineering.\n   Given that USAID and State were the first set of agencies to deploy the\n   web-version of the COTS product, there were significant risks associated\n   with the product\xe2\x80\x99s reliability and stability in the new technical platform.\n   USAID felt that these risks were too great to continue and conducted an\n   analysis of alternate solutions to determine if other systems better met\n   USAID\xe2\x80\x99s needs out of the box.\n\n\xc2\x83\t Page 13, Second Paragraph: The PSIP Team disagrees with the\n   assessment that USAID did not effectively mitigate its risk for the PSIP\n   project. The initial phase of PSIP implementation was for domestic\n   deployment. While configuring the COTS solution, the PSIP mitigation\n   strategy and plan was to leverage on-going performance testing\n   conducted by IRM and FM, and deployment of the COTS solution to\n   missions and posts with known bandwidth and connective issues. In the\n   meantime, PSIP had planned to conduct controlled tests to determine\n   specific PSIP functionality with the domestic configured system, such as\n   document generation and printing. The results of these performance tests\n   were to help develop the mitigation strategy for overseas deployment.\n   However, PSIP was preempted from executing the strategy when the\n   decision was made to suspend the implementation.\n\n\xc2\x83\t Page 13, Third Paragraph: The PSIP Team disagrees with the assessment\n   that their response to the Independent Verification and Validation results\n   was slow. PSIP commissioned an Independent Assessment to identify or\n   validate key issues, risks, and recommendations. The assessment noted\n   there were 64 mandatory requirements unresolved to be delivered. The\n   recommendation was to develop a plan to facilitate a timely resolution of\n   the gaps. The functional team had begun to reevaluate and reprioritize\n   the requirement gaps based on functional, technical, schedule, and cost\n   impact. The process of mitigating those requirements was through\n   business process reengineering, deferring the requirements in future\n\n                                                                           34\n\x0c   version releases, or customization. The suspension decision was based\n   on information that became known during April 2005. The notification\n   by the vendor that the version which Phoenix was going to deploy was\n   not a production candidate for PSIP. In addition, further technical issues\n   were identified during systems testing and the level of effort estimates to\n   address the requirement gaps through complex extensibility exceeded\n   expectations. The elevated set of risks prompted the decision to suspend\n   and notification was made on May 6, 2005.\n\n\xc2\x83\t Page 13, Fourth Paragraph: For clarification, the continuance of the\n   $5,200 was for software maintenance fees. At the time of suspension in\n   May 2005, it was unclear if the project would resume with the same\n   COTS solution and such a decision would not be known until September\n   2005. If USAID discontinued payment of the maintenance fee and it was\n   determined that the project resumed with the same COTS solution,\n   USAID would not have benefited from any version upgrade or patches to\n   be in sync with the financial version.\n\n\xc2\x83\t Page 14, Fourth Paragraph: Reference to an under-developed and/or\n   inadequate risk mitigation plan for POD is not entirely accurate. The\n   POD team developed and communicated the purchase of additional\n   bandwidth as a mitigation strategy to missions via email, Phoenix flights,\n   and teleconference calls. Missions in turn, adopted recommended\n   strategy by purchasing additional bandwidth to mitigate potential\n   network connectivity performance issues.           Missions\xe2\x80\x99 bandwidth\n   purchases      are     documented      in     the     NECS       website\n   (http://206.118.162.10/search.asp). Based on a Help Desk Remedy\n   Ticket analysis, Phoenix is functioning at an acceptable level of\n   performance in all pilot, LAC, and E&E controller missions.\n\n\xc2\x83\t Page 14, Fourth Paragraph: Reference to an under-developed and/or\n   inadequate contingency plan is not entirely accurate. The World Wide\n   Vouchers Examiner (WWVE) strategy was developed as an initial\n   contingency plan for POD, and was communicated to overseas controller\n   missions. Should a mission experience network connectivity issues, the\n   WWVE would be granted temporary authority to approve payments on\n   behalf of another mission, which differs from the regular Phoenix\n   operating environment where accountants, voucher examiners, etc. are\n   limited by security roles.\n\n\n\n                                                                           35\n\x0c   Further, it should be noted that in response to the IG\xe2\x80\x99s IT Infrastructure\n   Audit (Report No. A-000-05-00X-P), the Office of the CFO committed to\n   finalizing a business contingency plan. Performance testing between the\n   overseas missions and USAID/W indicated that connectivity between\n   pilot, LAC, and E&E missions and USAID/W was reliable. A finalized\n   contingency plan would not be critical until after the Asia and Near East\n   (ANE) deployment.\n\n\xc2\x83\t Page 14, Fifth Paragraph: We do not agree with the assertion that\n   \xe2\x80\x9cUSAID has no business continuity plan in the event of disruption of\n   service with the Washington servers.\xe2\x80\x9d POD had an actionable continuity\n   plan in place, based on the Department of State\xe2\x80\x99s Beltsville Information\n   Management Center (BIMC), in case USAID servers experienced a\n   disruption in service. Because this was a virus attack, the Agency did\n   not operate Phoenix from BIMC since the virus could have been spread\n   from USAID to the State Department via Phoenix. In addition, Phoenix\n   was unavailable for only two days.\n\n\xc2\x83\t Page 14, Sixth Paragraph and Page 15, Second Paragraph: Reference to\n   the POD team not performing a requirements assessment prior to\n   deployment and modifying migration data elements to meet stakeholders\xe2\x80\x99\n   needs is not entirely accurate. The data migration team thoroughly\n   assessed users\xe2\x80\x99 information requirements and established stakeholders\xe2\x80\x99\n   requirements prior to deployment. However, based on lessons learned\n   assessments post-deployment, data migration strategy was refined in\n   future deployments to more effectively address users\xe2\x80\x99 information needs.\n   Controllers signed off in agreement to the enhanced strategy in all\n   instances.\n\n\xc2\x83\t Page 15, Third Paragraph: Please note that test incident reports (TIRs)\n   are not equivalent or necessarily translate to change requests (CRs). All\n   TIRs classified as \xe2\x80\x9chigh\xe2\x80\x9d have to be addressed and closed immediately,\n   and all \xe2\x80\x9cmedium\xe2\x80\x9d TIRs must have a clear plan of action and a proposed\n   completion date with government approval.\n\n\xc2\x83\t Page 15, Fourth Paragraph: Please note that, based on industry best\n   practices, user acceptance testing (UAT) is not required for TIRs and/or\n   to address software changes/upgrades, when system and/or regression\n   testing is performed.\n\n\n\n                                                                          36\n\x0c\xc2\x83\t Pages 15-16, Sixth Paragraph: The documentation provided during the\n   audit shows that approximately 36% of total LAC vendor transactions\n   were migrated as miscellaneous, however this is not linked to the IG\xe2\x80\x99s\n   supposition that this would lead to erroneous payments. Based on the\n   Data Migration Strategy and Plan, some vendors were migrated as\n   miscellaneous if the vendor had no disbursement activity in the previous\n   two calendar years and was not recorded on an open obligation.\n   Additionally, essential vendor information/record was still captured and\n   migrated to Phoenix.\n\n   As a result, we do not agree with the assertion that the migration of\n   vendors as miscellaneous leads to serious implications to the Agency\xe2\x80\x99s\n   financial statements or to erroneous payments, neither of which have\n   been reported.\n\n\xc2\x83\t Page 16, Second Paragraph: We do not agree with the assertion that \xe2\x80\x9cthe\n   POD team is at risk of excluding essential data that may be needed in the\n   future\xe2\x80\x9d because \xe2\x80\x9cthe Data Migration team recommended that LAC\n   exclude certain data from the migration.\xe2\x80\x9d The bureau and the missions\n   all agreed, and signed-off, on the data migration approach for the LAC\n   missions based on their understanding of their own business operations.\n   There is nothing to indicate essential data that may be needed in the\n   future was excluded based on the data migration approach. Historical\n   transactions are in MACS for research purposes and LAC missions are\n   operating successfully on Phoenix with the data that was migrated.\n\n\xc2\x83\t Page 16, Fifth Paragraph: Reference to inadequate resources to monitor\n   the progress of the POD project is not entirely accurate. SRA and IBM\n   have been supporting the management of the Phoenix project by\n   providing project oversight based on industry best practices.\n\n\xc2\x83\t Page 17, Fourth Paragraph: The Phoenix team began planning the\n   overseas deployment in June 2003 and senior officials made it clear that\n   the priority was to deploy Phoenix overseas. PSIP would trail Phoenix\n   and adopt, if possible, the software used by Phoenix. To stop the\n   Phoenix overseas deployment and wait for PSIP to determine what\n   software they would use would cause the Phoenix budget to increase and\n   the schedule to slip.\n\n\n\n\n                                                                         37\n\x0c\xc2\x83\t Page 18, Third Paragraph: Reference to POD successes not being\n   repeatable for other USAID projects due to the heavy reliance on\n   contractors is not entirely accurate. Phoenix program management\n   processes and procedures, such as the Risk Management Plan, Quality\n   Assurance Plan, Communications Strategy and Plan, project and team\n   charters, have been leveraged by other USAID business systems\n   initiatives such as JAMS and PSIP.\n\n   We respectfully request that the comments above are addressed and/or\nincorporated in the final subject audit report.\n\n\n\n\n                                                                          38\n\x0cU.S. Agency for International Development \n\n        Office of Inspector General \n\n        1300 Pennsylvania Ave, NW \n\n          Washington, DC 20523 \n\n            Tel: (202) 712-1150 \n\n            Fax: (202) 216-3047 \n\n            www.usaid.gov/oig\n\x0c"